Update (05/14): The Pathé website is back online. However, the infection is still there and it is again redirecting visitors to Angler and CryptXXX.

Update (05/13):

Pathé has acknowledged the issue and put their site in maintenance mode in order to fix it.

The other good news is that there is a new version of the decrypter tool for CryptXXX 2.x. We have tested it and it works well.

– –

Pathé, a major French film production and distribution company, is serving ransomware via one of its websites, pathe[.]fr. The film company has a rich history that predates Universal Studios and Paramount Pictures, and is famous for inventing the newsreel in 1908.

We detected that their server hosting pathe[.]fr was compromised: malicious code embedded in its pages automatically redirects unsuspecting visitors to the Angler exploit kit.

Angler serves its own ransomware, dubbed CryptXXX, which recently received an update to defeat an existing decryption tool that could once restore files to their original, unencrypted state. In addition, the ransomware now prevents users from using their computer at all by locking the desktop with a fullscreen ransom note.
